Business Associate Agreement

Effective Date: March 1, 2026

This Business Associate Agreement (“BAA”) is available for Enterprise customers upon request and governs the handling of Protected Health Information (PHI) in connection with The Clinical Index services.

Important Notice

The Clinical Index does not process Protected Health Information (PHI) in its standard service.

Our platform analyzes supplement product data — ingredients, doses, marketing claims — not patient health records. The data we process relates to commercial products, not individual consumers or patients.

This BAA is available for Enterprise customers who require one as part of their organizational compliance program, or in cases where customer-uploaded materials may incidentally contain PHI.

1. Definitions

  • “Business Associate” means The Clinical Index, which performs services on behalf of the Covered Entity that involve the use or disclosure of Protected Health Information.
  • “Covered Entity” means the customer organization that is subject to HIPAA regulations and enters into this BAA.
  • “Protected Health Information” (PHI) means individually identifiable health information as defined under 45 CFR 160.103.
  • “Electronic Protected Health Information” (ePHI) means PHI that is transmitted or maintained in electronic media.

2. Scope

This BAA applies to any PHI that the Business Associate may create, receive, maintain, or transmit on behalf of the Covered Entity in the course of providing clinical evidence verification services. The scope is limited to any incidental PHI exposure through customer-uploaded materials such as product labels, certificates of analysis, or supporting documentation that may contain individually identifiable health information.

3. Obligations of the Business Associate

The Business Associate agrees to:

  • Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI.
  • Encrypt all ePHI in transit (TLS 1.3) and at rest (AES-256 encryption).
  • Maintain access controls that limit PHI access to authorized personnel only, including row-level security policies in the database layer.
  • Report to the Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware.
  • Ensure that any agents or subcontractors to whom it provides PHI agree to the same restrictions and conditions.
  • Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance.

4. Permitted Uses and Disclosures

The Business Associate may use or disclose PHI only as necessary to:

  • Perform the clinical evidence verification services contracted by the Covered Entity.
  • Carry out its management and administration functions.
  • Comply with applicable legal requirements.

The Business Associate shall not use or disclose PHI for any purpose other than those listed above or as required by law. PHI is never used for marketing, research, or AI model training purposes.

5. Individual Rights

The Business Associate will cooperate with the Covered Entity to fulfill individual rights requests under HIPAA, including the right of access to PHI, the right to request amendment of PHI, and the right to an accounting of disclosures. The Business Associate will respond to the Covered Entity's requests for assistance within 10 business days.

6. Breach Notification

In the event of a breach of unsecured PHI, the Business Associate will notify the Covered Entity without unreasonable delay and in no case later than 60 calendar days from discovery of the breach. The notification will include identification of each individual whose PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed during the breach, as well as a description of the breach, the types of PHI involved, and the corrective actions taken.

7. Term and Termination

This BAA shall be effective for the duration of the service agreement between the parties. Either party may terminate this BAA if the other party materially breaches any provision and fails to cure the breach within 30 days of written notice.

Upon termination, the Business Associate will return or destroy all PHI received from or created on behalf of the Covered Entity within 30 days. If return or destruction is not feasible, the Business Associate will extend the protections of this BAA to any retained PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.

8. Contact

For questions about this Business Associate Agreement, to request execution of a BAA for your organization, or for any HIPAA-related inquiries, please contact us at: legal@theclinicalindex.com